An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some circumstances, this can negate the incremental security benefit of using a single-use authentication mechanism token. An unauthenticated remote attacker has a 1/256 chance of forging KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key. Few application protocols use KRB-SAFE messages (CVE-2010-1323).